How to prevent CSRF attacks

The previous article covered the difference between CSRF and XSS; this time we look at how to prevent CSRF.

 

First of all, as the last article showed, a CSRF attack has a built-in limitation: the attacker can make the victim's browser send a request, but cannot read our pages or the responses to that request. Both defences below rely on that limitation.

 

Method 1: verify the source of the request on the back end, that is, the HTTP Referer. A CSRF attack works by having the user, while on another site, send a request that rides on their still-valid session or cookie. So when the server receives a request for a state-changing action, it checks whether that request was initiated from our own site; if it was not, the request is rejected and not executed. Two caveats: compare the full origin (scheme, host and port) rather than looking for the site name as a substring, because a substring check is bypassed by a host such as example.com.evil.net; and some browsers, privacy settings and proxies strip the Referer, so the Origin header, which browsers send on cross-site POSTs, is a more reliable companion check.
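Added example, not code from the original article: a back-end check of the kind Method 1 describes, written in Python. TRUSTED_ORIGINS and the header dicts are constructed for the example; it consults Origin first and falls back to Referer, compares the whole origin rather than a substring, and treats a request with neither header as foreign.

```python
from urllib.parse import urlsplit

# Constructed for this example: the origins (scheme + host + port) that our own
# pages are served from. Anything else is "another site".
TRUSTED_ORIGINS = {"https://example.com", "https://www.example.com"}


def origin_of(url):
    """Return 'scheme://host[:port]' for an absolute URL, or None if it has none."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def is_own_site_request(headers, trusted=TRUSTED_ORIGINS):
    """Back-end check: did this state-changing request start on one of our own pages?

    headers: the request headers as a dict (names matched case-insensitively).
    The Origin header is consulted first: browsers send it on cross-site POSTs and
    Referrer-Policy does not strip it. Referer is the fallback. A request that
    carries neither cannot prove where it came from and is treated as foreign.
    """
    lookup = {name.lower(): value for name, value in headers.items()}
    for name in ("origin", "referer"):
        value = lookup.get(name)
        if value is None:
            continue
        # Exact origin match. A substring test such as `"example.com" in value`
        # is defeated by https://example.com.evil.net/ or https://evil.net/?x=example.com
        return origin_of(value) in trusted
    return False
```

Run it on a request before the handler for any POST, PUT or DELETE; a False result means the request did not come from our own site and should be refused.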

 

Method 2: use a token. A CSRF attack succeeds because the attacker can forge the user's request completely: all of the user's authentication information lives in the cookie, so the attacker can have the browser attach that cookie without ever knowing what it contains, and the request still passes authentication. To resist CSRF, put some key piece of information into the request that the attacker cannot forge, and keep that information out of the cookie. Add a randomly generated token as a parameter of the HTTP request (a hidden form field or a custom header), and put an interceptor on the server side that validates it: if the request carries no token, or the token is wrong, the request may be a CSRF attack and is rejected. The token should come from a cryptographically secure random generator, be tied to the user's session, and be compared in constant time.
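Added example, not code from the original article: a per-session token and the server-side interceptor Method 2 describes, in Python. The SESSIONS dict, the cookie name "session" and the field name "csrf_token" are constructed for the example; a real application would use its session backend and framework hooks instead.

```python
import hmac
import secrets

# Constructed for this example: an in-memory session store keyed by session id.
# In a real deployment this is the server-side session backend.
SESSIONS = {}


def new_session():
    """Create a session and mint its CSRF token. The token is stored server-side
    and delivered only inside our own pages, never in a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token to embed in this session's forms (hidden field) or pages (meta tag)."""
    return SESSIONS[sid]["csrf_token"]


def render_form(sid):
    """Constructed example form: the token travels in the request body, not in a cookie,
    and the attacker cannot read this page to learn it."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token_for(sid)}">'
        '<input name="amount"><button>Send</button></form>'
    )


def csrf_interceptor(method, cookies, form):
    """Server-side interceptor run before any state-changing handler.

    cookies: request cookies as a dict (the browser attaches these automatically,
             so a forged cross-site request will carry a valid session id).
    form:    submitted fields as a dict (the attacker cannot read our page, so
             they cannot learn the token that belongs in here).
    Returns (allowed, reason).
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"  # safe methods must not change state anyway
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return False, "no session"
    submitted = form.get("csrf_token")
    if not submitted:
        return False, "missing csrf token"
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return False, "invalid csrf token"
    return True, "ok"
```

A forged request from another site carries the session cookie but not the token, so it stops at "missing csrf token"; a guessed token stops at "invalid csrf token"; only a request built from one of our own pages passes.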

For Method 2, see also JWT authentication: https://www.cnblogs.com/junyi-bk/p/12468272.html. A JWT that the client sends in an Authorization header, rather than in a cookie, is not attached to requests automatically by the browser, which is what gives it the same CSRF resistance as the token above.

 

Reference article: https://www.cnblogs.com/lsj-info/p/9479755.html


Source: www.cnblogs.com/junyi-bk/p/12514298.html